Access control methods, access control devices, and computer readable media

ABSTRACT

An access control method, which may be applied in a cloud environment, is provided in various embodiments. The access control method includes: receiving from a user a request for access to a resource; determining a group access key related to the resource; determining a user key of the user; determining whether the group key is an integer multiple of the user key; and granting the user access to the resource if it is determined that the group access key is an integer multiple of the user key.

PRIORITY CLAIM

The present application claims priority to Singapore patent application10201601212S.

TECHNICAL FIELD

The following discloses access control methods, access control devices,and computer readable media.

BACKGROUND

In a cloud environment, files and directories exist as objects hosted bya third party such as a cloud provider, and a service provider can adopta mechanism commonly used in file system to carry out access control.However, enterprise users may want to user their own access controlmechanism. Although some providers allow federated access to integratethe other party's access control solutions, there is no secure groupaccess control solution applicable to cloud environments such thataccess of resources can be controlled from a cloud infrastructurewithout disclosing sensitive or private information.

Thus, there is a want for an enhanced group access control method.

SUMMARY OF INVENTION

According to various embodiments, an access control method may beprovided. The access control method may include: receiving from a user arequest for access to a resource; determining a group access key relatedto the resource; determining a user key of the user; determining whetherthe group access key is an integer multiple of the user key; andgranting the user access to the resource if it is determined that thegroup access key is an integer multiple of the user key.

According to various embodiments, the sum of the group access key and ahash value may be stored.

According to various embodiments, the access control method may furtherinclude: authenticating the user.

According to various embodiments, authenticating the user may include:determining a public key related to the user, wherein the public key isbased on a product of a first private key of the user and a secondprivate key of the user; determining whether the user is in possessionof the first private key; and granting the user authentication if it isdetermined that the user is in possession of the first private key.

According to various embodiments, determining whether the user is inpossession of the first private key may include: providing the user witha residual of a square of a pre-determined number with respect to thepublic key; receiving a number from the user in response to providingthe user with the residual of the square of the pre-determined numberwith respect to the public key; determining whether a residual of asquare of the received number with respect to the public key isidentical to the residual of a square of the pre-determined number withrespect to the public key; and determining that the user is inpossession of the first private key if it is determined that theresidual of the square of the received number with respect to the publickey is identical to the residual of the square of the pre-determinednumber with respect to the public key.

According to various embodiments, the access control method mayadminister access to the resource for a group of users, wherein thegroup of users includes at least one actual member and at least onepseudo member.

According to various embodiments, the access control method may furtherinclude removing a pseudo member from the group performed when an actualmember is added to the group.

According to various embodiments, the access control method may furtherinclude multiplying the group access key by a number equal to a user keyof the user to be added to the group multiplied by an inverse of a userkey of the pseudo member to be removed from the group when the actualmember is added to the group.

According to various embodiments, the access control method may furtherinclude adding a pseudo member to the group when an actual member isremoved from to the group.

According to various embodiments, the access control method may furtherinclude multiplying the group access key by a number equal to theinverse of a user key of the user to be removed from the groupmultiplied by a user key of the pseudo member to be added to the groupwhen the actual member is removed from the group.

According to various embodiments, an access control device may beprovided. The access control device may include: a receiver configuredto receive from a user a request for access to a resource; an accesscircuit configured to determine a group access key related to theresource; wherein the access circuit is configured to determine a userkey of the user; wherein the access circuit is configured to determinewhether the group access key is an integer multiple of the user key; andwherein the access circuit is configured to grant the user access to theresource if it is determined that the group access key is an integermultiple of the user key.

According to various embodiments, the access circuit may be configuredto store the sum of the group access key and a hash value.

According to various embodiments, the access circuit may be configuredto authenticate the user, wherein authenticating the user may include:determining a public key related to the user, wherein the public key isbased on a product of a first private key of the user and a secondprivate key of the user; determining whether the user is in possessionof the first private key; and granting the user authentication if it isdetermined that the user is in possession of the first private key.

According to various embodiments, determining whether the user is inpossession of the first private key may include: providing the user witha residual of a square of a pre-determined number with respect to thepublic key; receiving a number from the user in response to providingthe user with the residual of the square of the pre-determined numberwith respect to the public key; determining whether a residual of asquare of the received number with respect to the public key isidentical to the residual of a square of the pre-determined number withrespect to the public key; and determining that the user is inpossession of the first private key if it is determined that theresidual of the square of the received number with respect to the publickey is identical to the residual of the square of the pre-determinednumber with respect to the public key.

According to various embodiments, the access circuit may be configuredto administer access to the resource for a group of users, wherein thegroup of users includes at least one actual member and at least onepseudo member.

According to various embodiments, the access circuit may be configuredto remove a pseudo member from the group is performed when an actualmember is added to the group.

According to various embodiments, the access circuit may be configuredto multiply the group access key by a number equal to a user key of theuser to be added to the group multiplied by an inverse of a user key ofthe pseudo member to be removed from the group when the actual member isadded to the group.

According to various embodiments, the access circuit may be configuredto add a pseudo member to the group is performed when an actual memberis removed from to the group.

According to various embodiments, the access circuit may be configuredto multiply the group access key by a number equal to the inverse of auser key of the user to be removed from the group multiplied by a userkey of the pseudo member to be added to the group when the actual memberis removed from the group.

According to various embodiments, a computer readable medium may beprovided. The computer readable medium may include instructions which,when executed by a processor, make the processor perform an accesscontrol method. The access control method may include: receiving from auser a request for access to a resource; determining a group access keyrelated to the resource; determining a user key of the user; determiningwhether the group access key is an integer multiple of the user key; andgranting the user access to the resource if it is determined that thegroup access key is an integer multiple of the user key.

BRIEF DESCRIPTION OF THE DRAWINGS

The accompanying figures, where like reference numerals refer toidentical or functionally similar elements throughout the separate viewsand which together with the detailed description below are incorporatedin and form part of the specification, serve to illustrate variousembodiments, by way of example only, and to explain various principlesand advantages in accordance with a present embodiment.

FIG. 1A shows a flow diagram illustrating an access control methodaccording to various embodiments.

FIG. 1B shows an access control device according to various embodiments.

FIG. 2 shows an illustration of various data sets according to variousembodiments.

FIG. 3 shows an illustration of data according to various embodiments.

FIG. 4 shows an illustration of oblivious identification according tovarious embodiments.

FIG. 5 shows an illustration of flexible group access control accordingto various embodiments.

FIG. 6 shows an illustration of oblivious identification according tovarious embodiments.

FIG. 7 shows an illustration of secure yet flexible access controlaccording to various embodiments.

FIG. 8 shows an illustration of data sharing on the cloud according tovarious embodiments.

FIG. 9 shows an illustration of data uploading (for example using avirtual group key manager according to various embodiments) to a cloudaccording to various embodiments.

FIG. 10 shows an illustration of data sharing (for example using avirtual group key manager according to various embodiments) on a cloudaccording to various embodiments.

FIG. 11 shows an illustration of member revocation or member revoking(for example using a virtual group key manager according to variousembodiments) on a cloud according to various embodiments.

FIG. 12 shows a computer system according to various embodiments.

Skilled artisans will appreciate that elements in the figures areillustrated for simplicity and clarity and have not necessarily beendepicted to scale. For example, the dimensions of some of the elementsin the block diagrams or steps in the flowcharts may be exaggerated inrespect to other elements to help improve understanding of the presentembodiment.

DETAILED DESCRIPTION

The following detailed description is merely exemplary in nature and isnot intended to limit the invention or the application and uses of theinvention. Furthermore, there is no intention to be bound by any theorypresented in the preceding background of the invention or the followingdetailed description. It is the intent of the preferred embodiments todisclose a method and system which is able to grant access to userswhich are members in a group.

Some portions of the description which follows are explicitly orimplicitly presented in terms of algorithms and functional or symbolicrepresentations of operations on data within a computer memory. Thesealgorithmic descriptions and functional or symbolic representations arethe means used by those skilled in the data processing arts to conveymost effectively the substance of their work to others skilled in theart. An algorithm is here, and generally, conceived to be aself-consistent sequence of steps leading to a desired result. The stepsare those requiring physical manipulations of physical quantities, suchas electrical, magnetic or optical signals capable of being stored,transferred, combined, compared, and otherwise manipulated.

Unless specifically stated otherwise, and as apparent from thefollowing, it will be appreciated that throughout the presentspecification, discussions utilizing terms such as “calculating”,“determining”, “receiving”, “granting”, “sending”, or the like, refer tothe action and processes of a computer system, or similar electronicdevice, that manipulates and transforms data represented as physicalquantities within the computer system into other data similarlyrepresented as physical quantities within the computer system or otherinformation storage, transmission or display devices.

The present specification also discloses apparatus for performing theoperations of the methods. Such apparatus may be specially constructedfor the required purposes, or may comprise a general purpose computer orother device selectively activated or reconfigured by a computer programstored in the computer. The algorithms presented herein are notinherently related to any particular computer or other apparatus.Various general purpose machines may be used with programs in accordancewith the teachings herein. Alternatively, the construction of morespecialized apparatus to perform the required method steps may beappropriate.

In addition, the present specification also implicitly discloses acomputer program, in that it would be apparent to the person skilled inthe art that the individual steps of the method described herein may beput into effect by computer code. The computer program is not intendedto be limited to any particular programming language and implementationthereof. It will be appreciated that a variety of programming languagesand coding thereof may be used to implement the teachings of thedisclosure contained herein. Moreover, the computer program is notintended to be limited to any particular control flow. There are manyother variants of the computer program, which can use different controlflows without departing from the spirit or scope of the invention.

Furthermore, one or more of the steps of the computer program may beperformed in parallel rather than sequentially. Such a computer programmay be stored on any computer readable medium. The computer readablemedium may include storage devices such as magnetic or optical disks,memory chips, or other storage devices suitable for interfacing with ageneral purpose computer. The computer readable medium may also includea hard-wired medium such as exemplified in the Internet system, orwireless medium such as exemplified in the GSM mobile telephone system.The computer program when loaded and executed on such a general-purposecomputer effectively results in an apparatus that implements the stepsof the preferred method. The computer readable medium may be anon-volatile computer readable medium. The computer readable medium maybe a volatile computer readable medium. The computer readable medium maybe a non-transitory computer readable medium.

According to various embodiments, devices and methods for virtual groupaccess control may be provided. A virtual group may be understood as agroup of users (in other words: a group of members). Each user of thegroup of users may have access to a pre-determined resource, such asdata (for example a file or directory) or a service (such as acomputational resource or computing service). According to variousembodiments, a virtual group access control protocol may be provided ina cloud computing environment. Devices and methods for securelycontrolling cloud resources may be provided, for example by deploying aproxy on a cloud infrastructure.

Cloud storage may provide users with flexible accessibility to theirresources such as files and folders (in other words: directories). Usersmay access their data anywhere anytime as long as network connection tothe cloud, for example internet connection, is available. Users mayshare their resources with peers and friends easily through cloudservices. However, it is the provider's capability to provide accesscontrol which lets enterprise worry about data leakage. Cloud providersmay enable federated access to allow enterprise users setup a proxy todo third-party access control, which leaves the question of securedeployment of proxy to enterprise user. According to variousembodiments, secure deployment of key manager proxy to do access controlover the resources on the cloud may be provided.

Access control has been used by file system, existing as a form ofutility. Files and directories have permission sets for their owners,the associated groups and all other users for the system. These accesscontrol features normally exist as metadata in cleartext and themetadata may be kept in an on-disk structure called an “inode”. Eachread or write may be controlled by checking the corresponding permissionin inode. It's an efficient and lightweight access control. File datanormally are stored in data blocks, existing together with inode in thelocal file system.

In a cloud environment, files and directories exist as objects hosted bya third party such as a cloud provider, and a service provider can adopta mechanism commonly used in file system to carry out access control.However, enterprise users may want to user their own access controlmechanism. Although some providers allow federated access to integratethe other party's access control solutions, there is no secure groupaccess control solution applicable to cloud environments such thataccess of resources can be controlled from a cloud infrastructurewithout disclosing sensitive or private information.

In the following, access control in a traditional file system will bedescribed.

Most file systems use permissions or access rights to specific users andgroups of users. Permissions are managed in three distinct scopes orclasses, known as user, group and others. These read permission grantsthe ability to read a file; the write permission grants the ability towrite a file; the execute permission grants the ability to execute afile. An example of symbolic notation of a file permission is asfollows:

-rwxr-xr-x: a regular file whose user class has full permissions andwhose group and others classes have only the read and executepermissions.

When a user accesses a file, the system checks whether the user is theowner, group user or other user and then grants or denies its accessrequest according to the corresponding permission of the file.

This access control is very simple and efficient for file system bychecking the file's metadata (in other words: the inode of the file)which includes the above permission to grant or deny a user's read/writerequests. It is applicable for local file system. While in cloudenvironment, users such as for example enterprises prefer their own andcustomized access control, which are invisible to the file system atcloud. According to various embodiments, a privacy preserved metadata isprovided to do access control at federated access proxy. The metadata isused to do access check without knowing or revealing the user'sidentity.

In commonly used systems, access control is bounded by an object, andstored as attributes with the object for federated access. In commonlyused systems, user-password/PIN (personal identification number)identification may be provided, wherein secrets are given (in otherwords: revealed or released), and secrets may be visible to theverification party. In commonly used systems, access control may beprovided, wherein permission attributes are used to decide user accessor group access, and the verification party must be trusted.

In the following, Amazon Identity Federation will be described.

AWS (Amazon Web Services) Identity and Access Management (IAM) supportsidentity federation for delegated access to the AWS Management Console.Through this management console, end users can access files stored onAmazon cloud storage (S3). With identity federation, external identities(for example federated users) are granted secure access to resources inyour AWS account without having to create IAM users. These externalidentities can come from your corporate identity provider (such asMicrosoft Active Directory or from the AWS Directory Service) or from aweb identity provider, such as Amazon Cognito, Login with Amazon,Facebook, Google or any OpenID Connect (OIDC) compatible provider.

This federation solution requires a small client application running onenterprise staff's work station. The application talks to a “federationproxy”, first it log into the external identity system, e.g., corporatedirectory system; then the proxy requests temporary security credentialsfor each user from AWS service. These credentials are associated with aset of permissions and expire period. These credentials get passed backto the client application, providing secure and direct access to the S3bucket.

However, such an external identity system does not suit to deploy oncloud environment if these above external identity providers cannotprovide privacy preserved identity.

According to various embodiments, an external identity proxy withprivacy protection is provided, which may be securely deployed on acloud environment. According to various embodiments, secure groupmanagement for object access control may be provided, where data issecured against a proxy sitting on the cloud, against the serviceprovider, and against individual users.

According to various embodiments, secrets are used for checking insteadof being released, and verification may be performed without knowing thesecrets. According to various embodiments, verification evaluation maybe used to decide access, and verification may be outsourced.

According to various embodiments, secure access control over cloudresources (e.g., objects) may be provided, and leaking information tothird parties is avoided. With a virtual group key manager (VGKM)according to various embodiments as a proxy sitting on cloud, the proxymay securely verify the user's identity by oblivious identification forusers. The proxy may efficiently control the access on the resourcesover the cloud. Oblivious identification may allow the proxy to identifylegitimate users without knowing a user's secret and make it deployableon a public cloud. Efficient access control allows enterprise to dotheir own on-demand membership checking, member recruiting (or memberadding) and revocating (or revoking) by their own policies instead ofprovider's mechanisms.

Various embodiments allow secure membership checking and flexible accesscontrol on resources over cloud. Various embodiments are independent ona specific service, and may be applicable to any cloud services.

According to various embodiments, oblivious identification may beprovided, wherein it is determined whether a user is who he claims tobe, without revealing secrets. Oblivious identification according tovarious embodiments may be applicable for authentication even on anuntrusted party. According to various embodiments, flexible groupauthentication/access control may be provided, which is transparent toexisting members when new members are joining or members are leaving thegroup. Objects may be bound by access control, and verification may beperformed with object attributes.

FIG. 1A shows a flow diagram 100 illustrating an access control methodaccording to various embodiments. In 102, a request for access to aresource may be received from a user. In 104, a group access key relatedto the resource may be determined. In 106, a user key of the user may bedetermined. In 108, it may be determined whether the group access key isan integer multiple of the user key. In 110, the user may be grantedaccess to the resource if it is determined that the group access key isan integer multiple of the user key.

According to various embodiments, the sum of the group access key and ahash value may be stored.

According to various embodiments, the access control method may furtherinclude: authenticating the user.

According to various embodiments, authenticating the user may include:determining a public key related to the user, wherein the public key isbased on a product of a first private key of the user and a secondprivate key of the user; determining whether the user is in possessionof the first private key; and granting the user authentication if it isdetermined that the user is in possession of the first private key. Itwill be understood that it is enough to provide proof of being inpossession of the first private key to authenticate as the user, becausethe second private key may be derived from the public key and the firstprivate key (in other words: if someone knows the public key and thefirst private key, it is easy for him to determine the second privatekey, and as such, it is not necessary to require proof of being inpossession of the first private key and the second private key one ofthe first private key or the second private key is enough).

According to various embodiments, determining whether the user is inpossession of the first private key may include: providing the user witha residual of a square of a pre-determined number with respect to thepublic key; receiving a number from the user in response to providingthe user with the residual of the square of the pre-determined numberwith respect to the public key; determining whether a residual of asquare of the received number with respect to the public key isidentical to the residual of a square of the pre-determined number withrespect to the public key; and determining that the user is inpossession of the first private key if it is determined that theresidual of the square of the received number with respect to the publickey is identical to the residual of the square of the pre-determinednumber with respect to the public key.

According to various embodiments, the access control method mayadminister access to the resource for a group of users, wherein thegroup of users includes at least one actual member and at least onepseudo member.

According to various embodiments, the access control method may furtherinclude removing a pseudo member from the group performed when an actualmember is added to the group.

According to various embodiments, the access control method may furtherinclude multiplying the group access key by a number equal to a user keyof the user to be added to the group multiplied by an inverse of a userkey of the pseudo member to be removed from the group when the actualmember is added to the group.

According to various embodiments, the access control method may furtherinclude adding a pseudo member to the group when an actual member isremoved from to the group.

According to various embodiments, the access control method may furtherinclude multiplying the group access key by a number equal to theinverse of a user key of the user to be removed from the groupmultiplied by a user key of the pseudo member to be added to the groupwhen the actual member is removed from the group.

FIG. 1B shows an access control device 112 according to variousembodiments. The access control device 112 may include: a receiver 114configured to receive from a user a request for access to a resource.The access control device 112 may further include an access circuit 116configured to determine a group access key related to the resource. Theaccess circuit 116 may further be configured to determine a user key ofthe user. The access circuit 116 may further be configured to determinewhether the group access key is an integer multiple of the user key. Theaccess circuit 116 may further be configured to grant the user access tothe resource if it is determined that the group access key is an integermultiple of the user key. The receiver 114 and the access circuit 116may be coupled, like indicated by line 118, for example electricallycoupled and/or optically coupled and/or mechanically coupled.

As used herein, the term “circuitry” may refer to, be part of, orinclude an Application Specific Integrated Circuit (ASIC), an electroniccircuit, a processor (shared, dedicated, or group), and/or memory(shared, dedicated, or group) that execute one or more software orfirmware programs, a combinational logic circuit and/or other suitablehardware components that provide the described functionality. In someembodiments, the circuitry may be implemented in, or functionsassociated with the circuitry may be implemented by, one or moresoftware or firmware modules. In some embodiments, circuitry may includelogic, at least partially operable in hardware. Embodiments describedherein may be implemented into a system using any suitably configuredhardware and/or software.

According to various embodiments, the access circuit 116 may beconfigured to store the sum of the group access key and a hash value.

According to various embodiments, the access circuit 116 may beconfigured to authenticate the user, wherein authenticating the user mayinclude: determining a public key related to the user, wherein thepublic key is based on a product of a first private key of the user anda second private key of the first user; determining whether the user isin possession of the first private key; and granting the userauthentication if it is determined that the user is in possession of thefirst private key.

According to various embodiments, determining whether the user is inpossession of the first private key may include: providing the user witha residual of a square of a pre-determined number with respect to thepublic key; receiving a number from the user in response to providingthe user with the residual of the square of the pre-determined numberwith respect to the public key; determining whether a residual of asquare of the received number with respect to the public key isidentical to the residual of a square of the pre-determined number withrespect to the public key; and determining that the user is inpossession of the first private key if it is determined that theresidual of the square of the received number with respect to the publickey is identical to the residual of the square of the pre-determinednumber with respect to the public key.

According to various embodiments, the access circuit 116 may beconfigured to administer access to the resource for a group of users,wherein the group of users includes at least one actual member and atleast one pseudo member.

According to various embodiments, the access circuit 116 may beconfigured to remove a pseudo member from the group is performed when anactual member is added to the group.

According to various embodiments, the access circuit 116 may beconfigured to multiply the group access key by a number equal to a userkey of the user to be added to the group multiplied by an inverse of auser key of the pseudo member to be removed from the group when theactual member is added to the group.

According to various embodiments, the access circuit 116 may beconfigured to add a pseudo member to the group is performed when anactual member is removed from to the group.

According to various embodiments, the access circuit 116 may beconfigured to multiply the group access key by a number equal to theinverse of a user key of the user to be removed from the groupmultiplied by a user key of the pseudo member to be added to the groupwhen the actual member is removed from the group.

According to various embodiments, a computer readable medium may beprovided. The computer readable medium may include instructions which,when executed by a processor, make the processor perform an accesscontrol method. The access control method may include: receiving from auser a request for access to a resource; determining a group access keyrelated to the resource; determining a user key of the user; determiningwhether the group access key is an integer multiple of the user key; andgranting the user access to the resource if it is determined that thegroup access key is an integer multiple of the user key.

FIG. 2 shows an illustration 200 of various data sets according tovarious embodiments. FIG. 2 shows the process of transforming the plaininformation from various agencies/users into encrypted strings which issent to the cloud/secure merging center and converted into the finaltable at the top.

According to various embodiments, data related to residents' finance orwealth analysis (for example residents' CPF (Central Provident Fund)spent distribution, residents' housing status, or correlations betweenthese accounts) may be shared without personal privacy leakage.

FIG. 3 shows an illustration 300 of such data. According to variousembodiments, the question who can access these shared data may beaddressed. Secure merging of such data may be provided. FIG. 3 shows theresult of the merging at the secure merging center which is a table withencrypted identifier (ID) and various columns of data which areassociated with the IDs.

FIG. 4 shows an illustration 400 of oblivious identification accordingto various embodiments, wherein it may be determined whether a user iswho he is claiming to be. According to various embodiments, azero-knowledge proof of identification may be provided. A first (NP)hard problem (NP1) 402 may be reduced to (or converted into) a second(NP) hard problem NP2, illustrated by 406, so that if NP2 (406) can besolved, this is a proof that NP1 (402) can (or could) be solved (inother words, a secret key 404, which is needed for solving NP1 (402) isknown by the user). It will be understood that an NP hard problem is aproblem which is non-deterministic polynomial-time hard (in other words,for which a solution may not be found in a time which may be expressedas a (finite) polynomial of the size of the problem).

FIG. 5 shows an illustration 500 of flexible group access controlaccording to various embodiments. According to various embodiments, itmay be determined whether a user is able (in other words: allowed; inother words: permitted) to access an object 502. Object 502 may be anaccess control bound object. According to various embodiments,verification may be performed with object attributes. According tovarious embodiments, oblivious identification and object's accesscontrol may be performed. Data of various users, for example illustratedby 506, 508, and 510, is shown.

According to various embodiments, an end user U, may have a secrecy (inother words: secret; in other words: secret key) which may include ormay be two big prime numbers (p_(u1), p_(u2)) and the correspondingpublic key may be N=p_(u1)p_(u2), i.e. the public key may be the productof the two big prime numbers p_(u1) and p_(u2). If a user claims that heis U, he should be able to show that he knows his secrecy (p_(u1), p₂),and his public key is N=p_(u1)p_(u2). If a plurality of users U_(i) withrespective public keys N_(i) exist, each N_(i) may be mapped into a bigprime member key P_(i)=f_(map)(N_(i)).

According to various embodiments, oblivious identification may beunderstood as follows. A user may prove that he is U without showing hissecrecy (p_(u1), p_(u2)) by taking a challenge to show his capability.According to various embodiments, if the end user can show he can findsquare roots for random quadratic residues in Z_(N)* (which may beunderstood as being the space of numbers modulo N), it means he knows(p_(u1), p_(u2)).

According to various embodiments, a resource (e.g. file, directory) maybe referred to as R. Given a resource R, its group access key is denotedas K_(R) which corresponds to the permission of accessing or using thisresource R and the value K_(R) may be used to evaluate who has thecorresponding permission or who has membership. A resource R may have aset of secure codes {R_(v)}={R_(v1), R_(v2), R_(v3), . . . }.

According to various embodiments, a group g may have n_(g) members {m₁,m₂, m₃, . . . , m_(ng)} who can access resource R. Each member m_(j) mayhave a corresponding prime number P_(j) for access authentication. Thegroup may also have n_(pt) pseudo members {m_(p1), m_(p2), m_(p3), . . ., m_(pt)}, so that n_(g)+n_(pt)=s_(g), and each pseudo member m_(pk) mayhave a corresponding prime number P_(pk).

According to various embodiments, oblivious identification may be basedon the principle of the hardness of finding square roots for quadraticresidues. If N=pq is the product of two distinct odd primes, thenfinding square roots for random quadratic residues in Z_(N)* is as hardas factorizing N. In other words, a person can find square roots forrandom quadratic residues in Z_(N)* iff (if and only if) he canfactorize N, which is equivalent to him knowing the secret (in otherwords, the two distinct prime number p, which may be referred to asp_(u1), and q, which may be referred to as p_(u2)). According to variousembodiments, oblivious identification may refer to identificationwherein the verification party can check the person's identity withoutknowing the person's secret.

In the following, oblivious identification for secure verification on acloud according to various embodiments will be described.

According to various embodiments, the secret related prime factoringproblem (in other words, the problem of finding prime numbers which area factor of a large number, and in the case of authentication theproblem of providing p_(u1) and/or p_(u2) in response to being providedwith the number N, wherein N=p_(u1) p_(u2)) may be converted into theproblem of providing square roots for random quadratic residues (inother words, the problem of finding ry mod N_(i) when provided with r²y²mod N_(i)); in other words, the square root problem may be used insteadof the factoring problem. Solving square roots for random quadraticresidues may prove the ability to factorize without the necessity toreveal the secrets related (in other words: the secret prime numbers).Thus the identity verification can be done without revealing the privateinformation of users, and can for example be carried out on a cloudenvironment. Users can verify that they are holders to the secretinformation that is linked to the public identifier N_(i). The obliviousidentification workflow can be as shown in illustration 600 of FIG. 6.The left side 602 of FIG. 6 may be related to the application running ona client (for example at an enterprise user), and the right part 604 maybe related to a module on the federated proxy which sits on cloudenvironment. Each enterprise user U_(i) has a secret keySK_(i)={pu_(1i), pu_(2i), s_(i)} and a public key PK={N_(i), I_(i)},wherein pu_(1i) and pu_(2i) are prime numbers, and N_(i)=pu_(1i)pu_(2i).The public key may be is shared with the proxy. The circles around r andβ in FIG. 6 are to indicate that the transcript of the protocol israndomized and thus is not susceptible to replay attacks.

A user may log into the identity system according to various embodimentsby giving his username U_(i) and password pwd_(i). The username andpassword may be verified as in a conventional authentication, like shownas step 1 in FIG. 6. If verified, the proxy may give a dynamic sessionchallenge x to the user, where x=y² mod N_(i), as step 2 in FIG. 6. Theuser may generate another random number r and send back of r²x mod N_(i)to server, wherein r²x mod N_(i) may be denoted as x*. The server mayrandomly choose a nounce from {0,1} and challenge the client. The clientmay give the corresponding solution accordingly and send back to server,as step 5 in FIG. 6. It can be seen that the client sends either ry modN_(i) or the masked number rs_(i)y mod N_(i). In both cases, the userproves that he is able to determine the residual square y of y², andthat thus he is in possession of the prime numbers p_(u1,i) andp_(u2,i). The server doesn't know s_(i), but can verify whether the userindeed is U_(i) as he has claimed.

The protocol as shown in FIG. 6 is used to authenticate the identity ofthe client. According to various embodiments, with the steps asdescribed above and shown in FIG. 6, the client has to possess p_(u1)and p_(u2) to derive y from x. It is to be noted that obtaining ythrough a lucky guess can occur with probability1/[(p_(u1)−1)(p_(u2)−1)]. Repeating the protocol several times andrequiring that all of them verify successfully may reduce the chances offalse authentication by lucky guesses.

It is to be noted that as used in the description of the process, theserver may be understood as the federated proxy and the client may beunderstood as the application running on enterprise staff's workstation.

The identification according to various embodiments is followed byaccess control according to various embodiments. To provide group accesscontrol, each identity is mapped to a prime number as (N_(i), P_(i)),where P_(i) is used as a member key for group management. A table 606 ismaintained at the federated proxy with {U_(i), N_(i), P_(i)}, as shownin FIG. 6. In the following, access control details will be described.

According to various embodiments, a (shared) group access key for aresource R_(sv) (which may be an i-th resource) may be defined as

K _(R) _(sv) =ΠR _(vn) ·ΠP _(j) where j=1˜sg  (1)

wherein each P_(j) may map to an N (which may correspond to anidentification of a user, like illustrated by table 606 in FIG. 6).

In other words, each file is associated with a resource identifierRs_(v) and a public value, ΠRs_(v)·ΠP_(j)+H(k_(h),Rs_(v)) (whereinRs_(v) are random masks, and P_(j) is associated to N_(j), which is athe public parameter for user j). The group that is allowed to accessthe file is the set of users q with P_(q) in the public value. Verifyingthat user q has access rights requires that the virtual group keymanager processes the public value by removing H(k_(h), Rs_(v)) and thenchecking the remaining term ΠRs_(v)·ΠP_(j) is divisible by P_(q).

An example of equation (1) may be as follows: K_(R) _(S1)=(R₁₁·R₁₂·R₁₃·R₁₄·R₁₅)·ΠP_(j)

As formulated in equation (1), the group access key K_(R) _(sv) forresource R_(sv) is defined as the multiplication of its resource securecodes followed by the other multiplication of the group members' primes.

Regarding the multiplication, it is to be noted that the group membersdo not only include the group's real group members but also the pseudomembers, with allows for a fixed group size s_(g), even if member arejoining the group or leaving the group. Thus, the group size and keysize are hidden, like illustrated in the left column 702 of illustration700 of FIG. 7.

However, such kinds of (access) control keys are stored on a cloudstorage, where the cloud provider can analyze common primes amongdifferent resources with a greatest common divisor (gcd), as shown inillustration 700 of FIG. 7. According to various embodiments, to avoidthat the cloud provider can perform such an analysis, noise may be addedbefore sending it to cloud by adding a hash value H(k_(h), R_(v)), likeillustrated by the right column 706 of FIG. 7, and as shown in equation(2) below, wherein k_(h) is a key for the hash function. k_(h) may beused to keep the exact hash function private and reduce the likelihoodof breaking the scheme. Only with k_(h) can the correct values H(k_(h),R_(v)) be obtained to remove the blinding masks.

K _(R) _(sv) =ΠR _(vn) ·ΠP _(j) +H(k _(h) ,R _(v))

for example K _(R) _(S1) =(R ₁₁ ·R ₁₂ ·R ₁₃ ·R ₁₄ ·R ₁₅)·ΠP _(j) +H(k_(h) ,R ₁)  (2)

This hash value can effectively hide the common users, at least thenumber of common users hacked using gcd, by adding a random number. Thisprotection is against the other tenants and service providers from thecloud, which is managed by the VGKM, and does not bother the key managerat the trusted side (in other words: the key manager need not beinvolved in the protocol and the unmasking can be “outsourced” ordelegated to a virtual group key manager) Adding the hash may requirethe proxy to maintain the hash key and may add computational overhead tocompute this function before/after sending/getting metadata from cloudstorage.

According to various embodiments, when a new member m_(u) joins into theshared group, the group key may be securely computed (in other words:updated) as shown in equation (3). The member key of m_(u) may be maskedby one of the pseudo member's member key reversed (P_(pj) ⁻¹).

K _(R) _(sv) =(K _(R) _(sv) −H(k _(h) ,R _(v)))·P _(u) ·P _(pj) ⁻¹ +H(k_(h) ,R _(v))  (3)

By this method of update, the member key may be protected and the keysize may be maintained regardless of resource key, while no action isrequired from the other users.

According to various embodiments, when a member m_(u) leaves the sharedgroup, the group key may be securely computed (in other words: updated)as shown in equation (4). The member key of m_(v) is masked by a newpseudo member key P_(pu), by which the group access key is multiplied,so that the group size is still s_(g).

K _(R) _(sv) =(K _(R) _(sv) −H(k _(h) ,R _(v)))·P _(v) ⁻¹ ·P _(pu) +H(k_(h) ,R _(v))  (4)

Masking as described above according to various embodiments may preventkey leakage, like illustrated by middle column 704 of the illustration700 of FIG. 7.

It will be understood that the actual group access key used does notinclude the hash term H(k_(h), R). As such, when a member m_(u) joinsthe group, the key is updated to be (K_(R) _(sv) −H(k_(h),R))·P_(u)·P_(pk) ⁻¹, whereas the value stored on the cloud is updated toK_(R) _(sv) =(K_(R) _(sv) −H(k_(h), R))·P_(u)·P_(pk) ⁻¹+H(k_(h), R_(v)),and no action from other users is required. Likewise, when a member mleaves the shared group, the key is updated to be (K_(R) _(sv) −H(k_(h),R))·P_(pk)·P_(v) ⁻¹, whereas the value stored on the cloud is updated toK_(R) _(sv) =(K_(R) _(sv) −H(k_(h), R))·P_(pk)·P_(v) ⁻¹+H(k_(h), R_(v)),and no action from other users is required.

By this method of update, the revoked member key is protected, theresource key is protected and the key size is maintained. The protectionof common group users is the same as described in relation to a newmember joining. Likewise, no action is required from other users.

In the following, workflow in operation according to various embodimentswill be described. It will be understood that steps as described inrelation to the methods shown in FIG. 8, FIG. 9, FIG. 10, and FIG. 11are illustrated as hexagons with the numbers (e.g. 1, 2, 3, . . . )inside, and these steps may be different or identical amongst FIG. 8,FIG. 9, FIG. 10, and FIG. 11. For example, step 1 illustrated in FIG. 8may be different from step 1 illustrated in FIG. 9, like will bedescribed in the following. For example, step 2 illustrated in FIG. 10may be identical or similar to step 2 illustrated in FIG. 11. Details oneach of the steps will be provided in the following.

FIG. 8 shows an illustration 800 of data sharing on the cloud accordingto various embodiments. A cloud storage 802 may store data (for examplea file F1 to be shared in a group of users). An end user U_(i) 804 maybe a member of the group and may request access to the file F1. Avirtual group key manager 806 (VGKM; in other words: an access controldevice according to various embodiments) may perform obliviousidentification, flexible group authentication, and group membermanagement. The virtual group key manager 806 may make use of a keymanager 808 for identity management (illustrated as step 1 in FIG. 8).It will be understood that the key manager 808 may be part of thevirtual group key manager 806 or may be provided separate from thevirtual group key manager 806. The virtual group key manager 806 maysecurely manage access control for the cloud resource (for example filesstored on the cloud storage 802, or for any other kind of resources, forexample for a computational service provided (not shown in FIG. 8)). Thevirtual group key manager 806 may provide flexibility, as no othermembers than the user joining the group or leaving the group areaffected when a user joins or leaves the group. Step 2 shown in FIG. 8may include checking and verifying the user U_(i)'s identity (in otherwords: authentication of user U_(i)). Step 3 shown in FIG. 8 may includegroup member checking (in other words, checking, whether user U_(i) is amember of the group which has access rights to the file on the cloudstorage).

FIG. 9 shows an illustration 900 of data uploading to a cloud (forexample for sharing data) according to various embodiments. The virtualgroup key manager (VGKM) 806 may securely manage access control for thecloud resource 802. No interaction with the trusted key manager 808 maybe necessary. Each resource may have the same group size (by making useof pseudo members) to prevent leakage. Each group key may have the samelength (by making use of pseudo members) to prevent prediction.

When an object is first send to cloud, the object and its metadata maybe put into the cloud. Before uploading to the cloud, the object'smetadata may define who has what right to access this object. Accordingto various embodiments, a big number, which is the resource control keymultiplied with the multiplication of all group member's prime numberkeys, may be used to define this object's access control information.This computation may be carried out on the trusted key manager, and theresult may be forwarded to the VGKM (as step 1 shown in illustration 900of FIG. 9, wherein the user key may be set and the resource key may beset). The VGKM may further do metadata masking, and may upload themasked metadata and data to cloud. In step 2 illustrated in FIG. 9, theuser may provide a file (for example referred to as F1) to share andattributes of the file (for example which group may have access to thefile). In step 3 illustrated in FIG. 9, oblivious identification of userU_(i) may be carried out using N_(i) and I_(i) as described above.Metadata may be generated, including a resource key R_(F) ₁ for theresource F₁ as described above. The group size may be kept at s_(g) byuse of pseudo members, and a hash value H(k_(h), R_(v)) may be added toavoid that members common to the same groups may determine secret keys.In step 5 as illustrated in FIG. 5, the metadata and the file F₁(901)are stored on the cloud.

FIG. 10 shows an illustration 1000 of secure data sharing within a groupaccording to various embodiments will be described. In step 1 asillustrated in FIG. 10, user U_(l) 804 may transmit his attributes andinformation about the new user U_(l) to the VGKM 806. The VGKM mayperform oblivious ownership checking, like indicated by step 2 in FIG.10. If an object is to be shared with a new user U_(l), the metadatainformation may be updated, and two steps may be desired: 1) masking newuser's key by multiply a masked random number (random choosing from thepseudo members' primes and getting its reverse or inverse) to the user'sprime number, like indicated by step 3 in FIG. 10; 2) multiplying theexisting group control key with this new masked key. With these twosteps, the new group control key has the new member's prime number as adivisor, and thus the membership of user U_(i) to the group can bechecked. The above two steps may occur at the trusted server, likeindicated by step 4 of FIG. 10, and the results may be forwarded to theVGKM, like indicated by step 5 of FIG. 10. The VGKM may do furthermasking, may update the metadata and may then upload and store themetadata on the cloud. While the other group users are transparent tothis change, they do not need to take any actions.

FIG. 11 shows an illustration 1100 of secure member revocation accordingto various embodiments. In step 1 as illustrated in FIG. 11, user U_(i)804 may transmit his attributes and information about the to be revokeduser U_(l) to the VGKM 806. The VGKM may perform oblivious ownershipchecking, like indicated by step 2 in FIG. 11. When a user U_(l) leaves(or left) the group (in other words, when a user U_(l) is to berevoked), his membership has to be revoked. In order to securely revokehis key, according to various embodiments, the proxy may carry out asecure division on this key. First, the reverse (or inverse) of thisuser's prime is extracted. Secondly, the reverse is multiplied with anew pseudo random member's prime (this multiplication may also bereferred to as masking; like illustrated in step 3 in FIG. 11). Theresult, as a revocation information, is sent to proxy. Fourth, the proxymay multiply the current group key with the received “revocation key” tocomplete the member revocation. This process does not leak any grouprelated information, even to the proxy while other group members aretransparent to this change. In order to securely store the key to thecloud, the VGKM may do (another) masking by adding a random number (forexample the hash value as described above) to the metadata beforeupdating the cloud metadata (like illustrated by step 5 in FIG. 11), asthe metadata process of secure sharing. In step 4 in FIG. 11, the newkey information is sent to the cloud storage 802.

For performance evaluation, the group access control scheme according tovarious embodiments may be integrated with dropbox and experiments maybe performed to verify the correctness of the scheme and measure itsperformance overhead and storage capacity added.

The time taken to upload and download files of variable size may bemeasured to determine the performance overhead incurred by the trustedproxy according to various embodiments. The total data transferring timefrom access control, data encryption/decryption, deduplication toupload/download with the proxy according to various embodiments may becompared with commonly used Dropbox applications.

Table I shows experimental results of uploading speed analysis.

TABLE I UPLOADING SPEED ANALYSIS RESULTS File Size With Proxy WithoughProxy 180 Kb pdf approx. 7 secs  <3 secs 6.5 Mb Audio File approx 45secs <20 secs 40 Mb Video clip 2 mins approx. 1-2 mins >230 Mb Zip file5 mins    4 mins

The experiments which lead to the data shown in Table I have beencarried out with Dropbox using its core API (application programminginterface). A proxy was setup to use Dropbox storage as dump storage.The overhead observed may be due to metadata update. According tovarious embodiments, the proxy may be scaled to compensate for theperformance loss. As can be seen from Table I, the bigger the size ofthe file under consideration, the smaller is the (relative) gap (orperformance loss).

Download speed results are listed in Table II below. Various embodimentsmay have slight difference for download performance, with 1-2 secondsfor a small file and within a minute for a big file. The reason may bethat the access control mechanism according to various embodimentsrequires a simple mathematical divisions and multiplications. Regardingscalability, multiple proxy nodes may be set to perform access control.

TABLE II DOWNLOAD SPEED ANALYSIS RESULTS File Size With Proxy WithoughProxy 180 Kb pdf approx 4 secs 1-2 secs 6.5 Mb Audio File approx 30 secs<20 secs 40 Mb Video clip 2 mins 1 mins >230 Mb Zip file approx 7 mins 7mins

As shown in Table II, there is less overhead for downloading, and thebigger the size of data is, the smaller is the gap in overhead.

With respect to capacity overhead, since to each file there will beadded 64 bytes of capacity to store the metadata, the access controlkey, the capacity overhead is acceptable.

As described herein, cloud storage may provide flexible resource accessand elastic storage capacity, which attracts users, for exampleenterprise users. However, users may worry about data accessed by otherillegitimate users or cloud provider since the data is stored on cloud.If user can control who can access their resources on the cloud withoutsacrificing cloud's benefit, they would make full usage of cloud storageas their data warehouse.

According to various embodiments, secure access control is provided, forexample on resources over storage cloud. According to variousembodiments, a customized, for example enterprise customized, accesscontrol proxy is provided, for example in a cloud (in other words: theaccess control proxy is sitting on cloud).

According to various embodiments, oblivious identification is provided.Since the proxy is provided on the cloud, it may be volatile to becompromised. It should not keep sensitive information. Obliviousidentification according to various embodiments may provide secureidentification checking without knowing and keeping the identity'ssecret.

According to various embodiments, secure and flexible access control isprovided. An efficient and flexible mechanism for users to shareresources over cloud is provided. Access control update (when a user isjoining the group or a user is leaving the group) will not botherexisting users in the group while keeping sensitive control informationhidden.

Various embodiments may be practical with little overhead to make theembodiments applicable to enforce on the cloud infrastructure.

According to various embodiments, data leakage may be avoided, forexample by keeping the group size at a constant size by introducingpseudo members as described above, by masking the key information asdescribed above, and by adding a noise value to the group access key asdescribed above to avoid common group users making used of approximategcd methods to determine the keys.

According to various embodiments, security is provided, as no privatekey is revealed (but only checking is performed). Backward secrecy maybe provided. Forward secrecy may be provided. According to variousembodiments, flexible access control may be cloud applicable byproviding protection against information leakage.

According to various embodiments, flexibility of members joining orleaving the group is provided. According to various embodiments,flexible access control may be flexible by avoid interaction from otherusers (other users than the user joining or leaving the group).

According to various embodiments, security is provided at only a lightperformance loss compared to an unsecured environment. In other words,according to various embodiments, flexible access control may beprovided in a cost effective way by reduced computational complexity.

The access control device as described herein may be similar to acomputer system 1200, schematically shown in FIG. 12. It may beimplemented as software, such as computer programs being executed withinthe computer system 1200, and instructing the computer system 1200 toconduct the methods of the example embodiments. Similarly, portions ofthe computer system 1200 may be embodied in the access control device ofthe example embodiments.

The computer system 1200 may include a computer module 1202, inputmodules such as a keyboard 1204 and mouse 1206 and a plurality of outputdevices such as a display 1208, and printer 1210.

The computer module 1202 may be connected to a computer network 1212 viaa suitable transceiver device 1214, to enable access to e.g. theInternet or other network systems such as Local Area Network (LAN) orWide Area Network (WAN).

The computer module 1202 in the example may include a processor 1218, aRandom Access Memory (RAM) 1220 and a Read Only Memory (ROM) 1222. Thecomputer module 1202 may also include a number of Input/Output (I/O)interfaces, for example I/O interface 1224 to the display 1208, and I/Ointerface 1226 to the keyboard 1204. The components of the computermodule 1202 may communicate via an interconnected bus 1228 and in amanner known to the person skilled in the relevant art.

The application program may be supplied to the user of the computersystem 1200 encoded on a data storage medium such as a CD-ROM or flashmemory carrier and may be read utilizing a corresponding data storagemedium drive of a data storage device 1230. The application program maybe read and controlled in its execution by the processor 1218.Intermediate storage of program data may be accomplished using RAM 1220.

While exemplary embodiments have been presented in the foregoingdetailed description of the invention, it should be appreciated that avast number of variations exist.

It should further be appreciated that the exemplary embodiments are onlyexamples, and are not intended to limit the scope, applicability,operation, or configuration of the invention in any way. Rather, theforegoing detailed description will provide those skilled in the artwith a convenient road map for implementing an exemplary embodiment ofthe invention, it being understood that various changes may be made inthe function and arrangement of elements and method of operationdescribed in an exemplary embodiment without departing from the scope ofthe invention as set forth in the appended claims.

1. A secure access control method for enabling secure access to aresource for a group of users without disclosing user privateinformation, the method comprising: receiving from a user a request foraccess to the resource; determining a user key of the user in responseto the request to access the resource, the user key comprising one oftwo or more prime numbers associated with the user; determining a groupaccess key related to the resource in response to information associatedwith the resource, the group access key having been generated frommultiplying together the two or more prime numbers associated with eachuser of the group, and wherein the group includes at least one actualmember and at least one pseudo member; determining whether the groupaccess key is an integer multiple of the user key; and granting the useraccess to the resource if it is determined that the group access key isan integer multiple of the user key.
 2. The access control method ofclaim 1, wherein the information associated with the resource used fordetermining a group access key related to the resource comprises the sumof the group access key and a hash value.
 3. The access control methodof claim 2, further comprising: authenticating the user.
 4. The accesscontrol method of claim 3, wherein authenticating the user comprises:determining a public key related to the user, wherein the public key isbased on a product of a first private key of the user and a secondprivate key of the user, wherein the first private key and the secondprivate key each comprise a large prime number of the two or more largeprime numbers associated with the user; determining whether the user isin possession of the first private key; and granting the userauthentication if it is determined that the user is in possession of thefirst private key.
 5. The access control method of claim 4, whereindetermining whether the user is in possession of the first private keycomprises: providing the user with a residual of a square of apre-determined number with respect to the public key; receiving a numberfrom the user in response to providing the user with the residual of thesquare of the pre-determined number with respect to the public key;determining whether a residual of a square of the received number isidentical to the residual of the square of the pre-determined numberwith respect to the public key; and determining that the user is inpossession of the first private key if it is determined that theresidual of the square of the received number is identical to theresidual of the square of the pre-determined number with respect to thepublic key.
 6. (canceled)
 7. The access control method of claim 1,further comprising: removing a pseudo member from the group when anactual member is added to the group.
 8. The access control method ofclaim 7, further comprising: multiplying the group access key by anumber equal to a user key of the user to be added to the groupmultiplied by an inverse of a user key of the pseudo member to beremoved from the group when the actual member is added to the group. 9.The access control method of claim 1, further comprising: adding apseudo member to the group when an actual member is removed from to thegroup.
 10. The access control method of claim 9, further comprising:multiplying the group access key by a number equal to the inverse of auser key of the user to be removed from the group multiplied by a userkey of the pseudo member to be added to the group when the actual memberis removed from the group.
 11. An access control device for securelymanaging access to a resource by a group of users, the access controldevice comprising: a receiver configured to receive from a user arequest for access to the resource; an access circuit coupled to thereceiver and configured to determine a user key of the user in responseto the request to access the resource, the user key comprising one oftwo or more prime numbers associated with the user; wherein the accessis configured to determine a group access key related to the resource inresponse to information associated with the resource, the group accesskey having been generated from multiplying together the two or moreprime numbers associated with each user of the group, and wherein thegroup includes at least one actual member and at least one pseudomember; wherein the access circuit is configured to determine whetherthe group access key is an integer multiple of the user key; and whereinthe access circuit is configured to grant the user access to theresource if it is determined that the group access key is an integermultiple of the user key.
 12. The access control device of claim 11,wherein the access circuit is configured to store the informationassociated with the resource used for determining a group access keyrelated to the resource as the sum of the group access key and a hashvalue.
 13. The access control device of claim 11, wherein the accesscircuit is configured to authenticate the user, wherein authenticatingthe user comprises: determining a public key related to the user,wherein the public key is based on a product of a first private key ofthe user and a second private key of the use, wherein the first privatekey and the second private key each comprise a large prime number of thetwo or more large prime numbers associated with the user; determiningwhether the user is in possession of the first private key; and grantingthe user authentication if it is determined that the user is inpossession of the first private key.
 14. The access control device ofclaim 13, wherein determining whether the user is in possession of thefirst private key comprises: providing the user with a residual of asquare of a pre-determined number with respect to the public key;receiving a number from the user in response to providing the user withthe residual of the square of the pre-determined number with respect tothe public key; determining whether a residual of a square of thereceived number is identical to the residual of the square of thepre-determined number with respect to the public key; and determiningthat the user is in possession of the first private key if it isdetermined that the residual of the square of the received number isidentical to the residual of the square of the pre-determined numberwith respect to the public key.
 15. (canceled)
 16. The access controldevice of claim 11, wherein the access circuit is configured to remove apseudo member from the group is performed when an actual member is addedto the group.
 17. The access control device of claim 16, wherein theaccess circuit is configured to multiply the group access key by anumber equal to a user key of the user to be added to the groupmultiplied by an inverse of a user key of the pseudo member to beremoved from the group when the actual member is added to the group. 18.The access control device of claim 11, wherein the access circuit isconfigured to add a pseudo member to the group is performed when anactual member is removed from to the group.
 19. The access controldevice of claim 18, wherein the access circuit is configured to multiplythe group access key by a number equal to the inverse of a user key ofthe user to be removed from the group multiplied by a user key of thepseudo member to be added to the group when the actual member is removedfrom the group.
 20. A computer readable medium comprising instructionswhich, when executed by a processor, make the processor perform a secureaccess control method for securely accessing a resource by a user of agroup without disclosing user private information, the secure accesscontrol method comprising: receiving from a user a request for access tothe resource; determining a user key of the user in response to therequest to access the resource, the user key comprising one of two ormore large prime numbers associated with the user; determining a groupaccess key related to the resource in response to information associatedwith the resource, the group access key having been generated frommultiplying together the two or more large prime numbers associated witheach user of the group, the group including at least one actual memberand at least one pseudo member; determining whether the group access keyis an integer multiple of the user key; and granting the user access tothe resource if it is determined that the group access key is an integermultiple of the user key.
 21. The secure access control method of claim1, wherein each of the two or more prime numbers associated with eachuser of the group comprises a large prime number.
 22. The access controldevice of claim 11, wherein each of the two or more prime numbersassociated with each user of the group comprises a large prime number.